It should be clear at this stage that carefully categorising cyber attacks using a well-thought-out definition excludes a great many types of activity typically held-up by journalists, policymakers, and others as cyberterrorism from being conceived as such. Journalists, for example, regularly mix mention of cyberterrorism with terrorist ‘use’ of the Internet, hacktivism (i.e. activist hacking), hacking, and even cyberwar, as if these activities are all on a par with each other or even indistinguishable. Newspaper headlines such as ‘Cyber Terror is the New Language of War’ (Dorgan 2013), ‘Cyber Spies Terror War; MoD and Treasury Targeted’ (Riley 2011), and ‘Terrorists “Gaining Upper Hand in Cyber War”’ (The Independent 2010) are prevalent. Taking the terrorism components of cyberterrorism seriously rather than myopically focusing on its cyber aspects provides considerable clarification. Application of Denning’s criteria having eliminated everything from website defacements to Stuxnet from the domain of cyberterrorism, there is nonetheless a range of cyber activities that, were they to have a political motive and a message-generation component and that resulted in massive disruption or violence, could—would?—be termed cyberterrorism. So why haven’t we yet seen any such attacks?
The position adopted in this chapter is that there are a number of factors that distinguish cyberterrorism from ‘real world’ terrorism that cause cyberterrorism to remain an outside threat. Cyber-based activities, it will be argued herein, don’t tend to work as terrorism, and the domination of debate in this area by ‘The IT Crowd’ (Singer & Friedman 2014)—rather than, if you like, ‘The Terrorism Studies Crowd’—has skewed assessment of risk. From a terrorism perspective, the costs largely outweigh the significantly less than assured destructive capacities and publicity benefits likely to accrue to a cyberterrorist attack (compare with Wilson, this volume). This chapter concentrates on four major factors that weigh against the likelihood of cyberterrorism occurring: (i) cost factor; (ii) complexity factor; (iii) destruction factor; and (iv) media impact factor. Denning has observed that “For a politically-motivated cyber-attack to be considered an act of cyber-terror, it would have to be serious enough to actually incite terror on a par with violent, physical acts of terrorism such as bombings” (Denning 2012, 678). Each of these factors will therefore be considered not just in respect of cyberterrorism, but also in respect of ‘Vehicle-Borne Improvised Explosive Devices’ (VBIEDs) or, in common parlance, ‘car bombs.’ No act of cyberterrorism has ever yet occurred, car bombing, on the other hand, has a long and bloody globe-spanning history and continues to prove a spectacularly attractive terrorist option (Davis 2008). Following a detailed weighing-up of the pros and cons of cyber-attack versus car bombing the conclusion arrived at is that traditional low-tech ‘real world’ terrorist attacks will continue to be more effective and therefore ‘attractive’ than their cyber variant for some time to come.
This section compares instances of car bombing with non-instances of cyberterrorism. This has some difficulties as an approach, as one might imagine. It is rather difficult to compare things that have an actual existence and can therefore be described, counted, costed, etc. and those that do not. The seeming implausibility of such an undertaking notwithstanding, the insistence of journalists, policymakers, IT security professionals, and others that catastrophic cyberterrorism is imminent requires analysis and counter-argument. Those involved in the cyberterrorism debate cannot draw on either history or experience to bolster their positions, as a major cyberterrorist incident has never yet occurred. For this reason, different scenarios or stories about the possible course of future events are providing the grounds on which decisions must be made. The upshot of this is that a multitude of actors with their various, and often divergent, interests are competing with each other by means of their versions of the future, which are particularly subject to political exploitation and instrumentation (Deibert 2002, 118). Cyberterrorism has thus taken on a rather grandiose ‘sci-fi’ character. The comparison below is therefore by way of a reality check in which some of those potential attacks that would fit Denning’s definition of cyberterrorism are compared with a form of terrorism that is so contemporarily ‘doable’ that in some countries and regions it has come to be mundane or commonplace: VBIED attacks.
‘Vehicle-Borne Improvised Explosive Device’ (VBIED) is the term used to describe a ‘home-made’ as opposed to off-the-shelf explosive device housed and delivered in a vehicle. The most common type of VBIED is a car bomb (see, for example, Table 6.1), but a range of other vehicles from bicycles to boats have been employed. Some analysts even consider the planes on 9/11 as VBIEDs, albeit these were not carrying explosives additional to their fuel. Car bombs are remarkably effective weapons as they offer a highly innocuous way to transport large amounts of explosives and/or flammable material to a target while the content of the vehicle’s fuel tank lends the blast additional power and the body of the vehicle itself produces copious shrapnel. In recent years, suicide VBIEDs have been used extensively, including in Iraq (see Table 6.1), Afghanistan, and elsewhere. Other countries or conflicts in which VBIEDs have been widely deployed include Colombia, India, Israel, Lebanon, Northern Ireland, Pakistan, Russia, and Sri Lanka. VBIED attacks have been chosen for comparison with cyberterrorism in this chapter precisely because of their long history, wide geographical spread, and contemporary ubiquity, but also because this form of attack is neither the easiest nor the most complex type of terrorism. It is not the cheapest or the most expensive. It is neither the flashiest nor the most attention-getting. It might be described as mid-range terrorism and thus an appropriate comparator.